Open issues/risks

E10S is slow going, so only slow progress can be made

Threat model needed

Stage 1: Definition

1. Feature overview

Process isolation is designed to separate Firefox into multiple processes, each with the least amount of privilege necessary. In doing so, the potential damage for a large number of Firefox vulnerabilities can be reduced. While implementing sandboxing is not a goal for the current phase of Electrolysis, we need to consider the architectural requirements for doing so now in order to effectively support sandboxing in the future.

We will do so by:

identifying high-level categories of threats that we could address via process isolation

determining the architectural implications of mitigating each category

selecting a threat model and an architecture that addresses it, and prototyping it

determining whether the chosen model is actually feasible within the current Gecko architecture

producing an implementation roadmap

implementing it

2. Users & use cases

Reduce the damage from various types of vulnerabilities within Firefox. This is a defense-in-depth measure.

3. Dependencies

4. Requirements

Define a threat model

Verify whether the implementation effectively mitigates the threats

Non-goals

Eliminate security vulnerabilities. Sandboxing can reduce the severity of a given bug (by reducing the privilege the malicious code runs with), but it does not actually prevent or fix the underlying bug.
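The least-privilege split described in the feature overview, and the non-goal stated above (a bug in the low-privilege process can only do what that process is allowed to do), can be illustrated with a small broker pattern. The Python below is an added example and not Electrolysis or Gecko code: a privileged "broker" process holds all file access, an unprivileged "content" process can only ask for files over a pipe, and the broker checks every request against an allow list after canonicalising the path. The allow-list policy, the two constructed files and the request sequence are assumptions made for the demonstration.

```python
"""Broker pattern: the unprivileged child never opens files itself; it asks
the privileged parent, which enforces policy on every request."""
import multiprocessing as mp
import os
import tempfile


def make_policy(allowed_paths):
    # Canonicalise once so later comparisons are not fooled by ".." or symlinks.
    return {os.path.realpath(p) for p in allowed_paths}


def broker_handle(request, allowed):
    """Runs in the privileged process. Validates one (op, path) request from
    the content process and returns (ok, payload)."""
    op, path = request
    if op != "read":
        # Only reads are brokered; anything else is denied outright.
        return (False, "unsupported operation")
    real = os.path.realpath(path)
    if real not in allowed:
        return (False, "denied by policy")
    try:
        with open(real, "rb") as f:
            return (True, f.read())
    except OSError as e:
        return (False, str(e))


def content_main(conn, requests):
    """Runs in the unprivileged child. It holds no file handles of its own
    and can only send requests over the pipe and wait for the answer."""
    for req in requests:
        conn.send(req)
        conn.recv()
    conn.send(None)  # signal that the content process is finished
    conn.close()


def run_isolated(requests, allowed):
    """Spawn the content process and broker its requests; returns the list of
    (request, response) decisions the broker made."""
    parent_conn, child_conn = mp.Pipe()
    child = mp.Process(target=content_main, args=(child_conn, requests))
    child.start()
    child_conn.close()  # the parent keeps only its own end of the pipe
    log = []
    while True:
        req = parent_conn.recv()
        if req is None:
            break
        resp = broker_handle(req, allowed)
        log.append((req, resp))
        parent_conn.send(resp)
    child.join()
    return log


def demo():
    """Constructed scenario: one readable file, one secret the policy excludes."""
    tmp = tempfile.mkdtemp()
    public = os.path.join(tmp, "public.txt")
    secret = os.path.join(tmp, "secret.txt")
    with open(public, "w") as f:
        f.write("hello")
    with open(secret, "w") as f:
        f.write("top secret")
    allowed = make_policy([public])
    # A path-traversal spelling of the secret file, to show canonicalisation.
    traversal = os.path.join(tmp, "..", os.path.basename(tmp), "secret.txt")
    requests = [
        ("read", public),
        ("read", secret),
        ("read", traversal),
        ("write", public),
    ]
    log = run_isolated(requests, allowed)
    return [ok for _, (ok, _) in log]


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in the non-goal: a compromised content process still has a working pipe to the broker, so nothing here fixes the bug that compromised it, but the attacker only gets the operations the policy grants to that process.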